In a major ShinyHunters Canvas breach, the notorious extortion group has defaced login pages of approximately 330 educational institutions using Instructure’s Canvas platform. The attackers are demanding ransom and threatening to leak 275 million student records by May 12 if schools refuse to pay.
What happened
On the morning of May 8, students and faculty at hundreds of colleges and universities logged into Canvas — only to be greeted with a threatening message instead of a login form. The ShinyHunters extortion group had exploited a vulnerability in Instructure’s systems to deface the Canvas login portals of approximately 330 educational institutions simultaneously. The defacement also appeared in the Canvas mobile app.
The message was blunt: ShinyHunters claimed it had breached Instructure a second time, accused the company of ignoring their earlier contact and simply applying “security patches,” and warned that data belonging to students at listed schools would be publicly leaked unless institutions reached out privately to negotiate a settlement.
“ShinyHunters has breached Instructure (again). Instead of contacting us to resolve it they ignored us and did some ‘security patches’… If any of the schools in the affected list are interested in preventing the release of their data, please consult with a cyber advisory firm and contact us privately.” — ShinyHunters defacement message, May 8, 2026
The defacements were visible for roughly 30 minutes before Instructure pulled Canvas offline and placed the platform in maintenance mode. When Canvas came back up, the ransom message had been replaced with a standard maintenance notice.
ShinyHunters Canvas Breach: A Second Attack in Eight Months
This attack didn’t come out of nowhere. In September 2025, ShinyHunters had already breached Instructure’s Salesforce environment through a social engineering campaign, reportedly as part of a larger operation that hit around 760 organizations. Instructure said at the time that no Canvas product data was accessed.
Then on May 1, 2026, Instructure reported a new disruption — API keys and Canvas Data 2 were showing limited availability. Days later, ShinyHunters listed Instructure on its dark-web leak site with a simple message: “PAY OR LEAK.” According to the attackers, this ShinyHunters Canvas breach was far more damaging than the first.
Attack Timeline
- September 2025 — ShinyHunters breaches Instructure’s Salesforce instance via social engineering.
- April 30, 2026 — Instructure reports limited API disruptions and places Canvas Data 2 and Canvas Beta into maintenance.
- May 1, 2026 — Instructure confirms a cybersecurity incident.
- May 3, 2026 — ShinyHunters posts Instructure on its Tor-based extortion site claiming 275 million records stolen.
- May 8, 2026 — Login portals at ~330 schools are defaced. Deadline: May 12.
What data was exposed
Instructure has confirmed that names, institutional email addresses, student ID numbers, and Canvas inbox messages were accessed. The company says there is no current evidence that passwords, dates of birth, government identification numbers, or financial data were compromised.
The sensitivity of the message data deserves particular attention. Canvas inboxes are regularly used by students to disclose medical conditions, request disability accommodations, discuss mental health concerns, and communicate with Title IX advocates. Even without passwords or financial data, this is deeply personal information.
The institutions potentially affected include Harvard, Stanford, MIT, Yale, Columbia, Princeton, and Penn State.
Who is ShinyHunters?
ShinyHunters has become one of the most prolific extortion groups operating today. The ShinyHunters Canvas breach highlights the group’s sophisticated tactics against SaaS platforms. They typically breach third-party integrations — particularly Salesforce environments — then pivot into connected systems. They also conduct voice phishing (vishing) attacks against Okta, Microsoft, and Google SSO accounts.
What should your organization do right now?
- If your institution uses Canvas, assume your users’ data has been exposed and notify them promptly.
- Institutions impacted by the ShinyHunters Canvas breach should immediately notify users and prepare for potential data leaks.
- Warn students and staff about follow-on phishing attacks.
- Audit API keys and OAuth tokens connected to Canvas. Rotate credentials immediately.
- Enable or re-verify MFA on all affected accounts.
- Review third-party SaaS integrations.
- Document your incident response now.
The bigger picture
The ShinyHunters Canvas breach serves as a wake-up call for the education sector’s cybersecurity posture. This attack landed during finals week — timing that may not be accidental. Learning management systems hold some of the most sensitive data in any organization, and they are deeply integrated with identity providers and dozens of third-party applications.
Beyond immediate response to this ShinyHunters Canvas breach, organizations must prioritize third-party risk management and maintain clear visibility into API access and data flows.
Click here to read more blog articles!